On 2018/01/10 09:43, Maximilian Pichler wrote: > $ doas rdate -nvp pool.ntp.org > rdate: Unable to receive NTP packet from server: No route to host
This usually indicates either not having a route, or a firewall rule on the OpenBSD system blocking it. > $ nc -vu pool.ntp.org 123 > Connection to pool.ntp.org 123 port [udp/ntp] succeeded! It's UDP - this indicates nothing. You haven't sent anything at this point. > $ traceroute -c -p 123 pool.ntp.org > traceroute: Warning: pool.ntp.org has multiple addresses; using 203.159.70.33 > traceroute to pool.ntp.org (203.159.70.33), 64 hops max, 40 byte packets > 1 10.0.2.2 (10.0.2.2) 0.867 ms 0.349 ms 0.246 ms > 2 * * * > 3 192.168.11.1 (192.168.11.1) 2.514 ms 2.137 ms 1.786 ms > 4 125.213.235.25 (125.213.235.25) 2.848 ms 2.51 ms 2.617 ms > 5 125.213.235.17 (125.213.235.17) 5.88 ms 3.059 ms 3.211 ms > 6 * * * > 7 * * * > 8 * * * > 9 * 125.213.235.17 (125.213.235.17) 3.367 ms !X * > > Disabling pf (as well as the firewall on the host MacOS) gives > identical results. > > Also, it looks like no packets are coming back (suggested by David > Dahlberg in a private message): > $ doas tcpdump -envps1500 -i em0 port ntp or icmp > tcpdump: listening on em0, link-type EN10MB > 06:16:31.765946 08:00:27:34:76:da 52:54:00:12:35:02 0800 90: > 10.0.2.15.47084 > 203.158.247.150.123: [bad udp cksum cf8d! -> 5deb] > v4 client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref > (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt > -34468692.156416639 [tos 0x10] (ttl 64, id 34769, len 76) > 06:16:31.766020 08:00:27:34:76:da 52:54:00:12:35:02 0800 90: > 10.0.2.15.35704 > 203.158.118.2.123: [bad udp cksum 4df9! -> 780a] v4 > client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref > (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt > -95552486.879830002 [tos 0x10] (ttl 64, id 47214, len 76) > 06:16:31.766340 08:00:27:34:76:da 52:54:00:12:35:02 0800 90: > 10.0.2.15.31315 > 103.22.182.121.123: [bad udp cksum 29e8! -> dad3] v4 > client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref > (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt > +1659942531.907521903 [tos 0x10] (ttl 64, id 53951, len 76) > 06:16:31.766494 08:00:27:34:76:da 52:54:00:12:35:02 0800 90: > 10.0.2.15.11278 > 203.159.70.33.123: [bad udp cksum 1e19! -> 6dc7] v4 > client strat 0 poll 0 prec 0 dist 0.000000 disp 0.000000 ref > (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt > +94128219.587299346 [tos 0x10] (ttl 64, id 30931, len 76) > 06:16:31.768890 52:54:00:12:35:02 08:00:27:34:76:da 0800 90: > 125.213.235.17 > 10.0.2.15: icmp: host 203.158.247.150 unreachable - > admin prohibited filter [icmp cksum ok] [tos 0xd0] (ttl 63, id 48216, > len 76) > > What is "admin prohibited filter"? Some firewalls return this for blocked packets. In this case, it seems fairly likely that it's being blocked by 125.213.235.17.
